The present disclosure generally relates to an identification, authentication and authorization method and, in particular, relates to an identification, authentication and authorization method for laboratory systems and a corresponding laboratory system configured to utilize the disclosed method.
Identification and authentication techniques typically are based on one or more of three major factors: “something you know”; “something you are” and “something you have”. In order to provide sufficient security, but also flexibility, authentication services of laboratory systems should be able to use different means (credential providers) for authentication like LDAP (for systems well integrated with the laboratory IT environment), identification tags (e.g., Smart Card or RFID), biometrics, or in simple systems via user ID and password.
Depending on the specific required security level, a variety of identification and authentication schemes are employed, for example:    Identification only: identification tag without identity confirmation (also known as 1-factor authentication—“what you have”)    Identification and authentication: identification tag with identity confirmation (also known as 2-factor authentication—“what you have” and “what you know”)
In order to comply with ever more stringent regulatory requirements related to authentication and authorization, users of laboratory systems are required to authenticate themselves for each laboratory device, for each laboratory data management system and for each laboratory information system using two-factor authentication. i.e., by identification (e.g., by an identification tag such as a radio frequency identification RFID tag) and identity confirmation (e.g., by a password or personal identification number PIN and the like). Regulatory compliance requires that users' activity at laboratory device(s) is documented in an audit trail, i.e. results production relevant action(s) are associated with the authenticated user.
In an exemplary scenario, a laboratory system comprising multiple laboratory devices (e.g., clinical lab instruments) is run during each work shift by multiple users. Each user is capable and permitted to operate at least a subset of these laboratory devices, meaning that the users may change their work places—usually many times—during a work shift. At the same time, laboratory devices of the laboratory system may enable multiple authorized users to work only during certain periods of time (e.g., work shifts).
With the currently available laboratory systems, the two-factor authentication needs to be performed multiple times per laboratory device and per working shift, all of which is highly inconvenient and results in significant productivity losses for the users. In response, quite often users of laboratory systems tend to use collective user accounts (multiple users “sharing” the same identification data and identity confirmation data) and/or fail to log out of laboratory devices between tasks and/or use other user's credentials, thereby invalidating regulatory compliance and compromising the entire security mechanism of the laboratory.
Thus there is a high demand for improving the identification, authentication and authorization workflows in laboratory systems in order to simplify the user-laboratory device interactions.
Some laboratory systems comprise non-networked laboratory devices which are not communicatively connected to other laboratory devices, data management systems and user management systems. It is however very difficult and resource-intensive to ensure regulatory compliance in laboratory systems comprising such non-networked laboratory device(s) as identification data and/or authentication data cannot be seamlessly synchronized with the rest of the systems in the laboratory.
In addition, some laboratories include one or more closed system laboratory devices that are not configurable to carry out this method without additional hardware. These closed system laboratory devices include legacy devices which lack the hardware to be configured to implement sufficient security measures (i.e., without additional hardware). Alternatively, laboratory devices which, while having the hardware resources, for some reason are not open to being reconfigured to be correspondingly (re)configured. The latter may be, for example, the case for devices from different vendors. An even further case might be when reconfiguration of existing laboratory devices is prevented by regulatory constraints. Nevertheless, closed system laboratory device(s) are often integrated into laboratory systems as their replacement with newer/other instruments is in many cases economically unjustifiable.
Therefore, there is a need to provide a secure, but at the same time convenient, identification, authentication and authorization method for a laboratory system, which can be extended to non-networked and closed system devices. In other words, there is a need to provide a solution that reduces the non-productive time users would otherwise spend for identification and authentication at laboratory devices while still maintaining high levels of security and traceability of user interactions with the laboratory devices to ensure compliance with regulatory requirements.